Saturday, November 22, 2008

New Rule for registration processes

I just signed up for a site that asked for a password. Like most people, I don't create a different password for every site I visit; I'd never be able to remember them all.

Instead, I have a set of them, for differing levels of importance or required security. It works well, and so far I don't think I've ever had any security breaches.

The problem, though, is knowing which password you should use beforehand. That matters because some sites include your password in plain text in the welcome email they send after registration.

We all know that once a password has been emailed in plain text it can no longer be considered secure: it now sits in mailboxes and on mail servers outside your control. These sites will no doubt also email it in plain text if you use the "Forgot Password" link, and a site that can send you your original password is storing it in a recoverable form, which of course makes it worse.

I'm actually OK with this: some sites simply aren't that important, and if your account gets hacked then, meh. But I would like to know beforehand that they are going to treat my password in this way, before I decide which password I'm going to use.

So, New Rule: registration forms should disclose, prominently on the form itself, if the site is going to send the password via email in plain text.


Stephen O'Neill said...

I currently have a bit of a password trauma.

My Ebay account got hacked somehow and, what with Ebay being the great shining beacon of customer service satisfaction that they are, I'm not entirely sure how it happened.

I'm not the first person I've known this happen to either - which makes me moderately suspicious that there is a weakness at Ebay's end, or else they come under more prolonged attacks. I do not know whether my password has been compromised or a hash of it which some tier of the Ebay platform passes around. I have to err on the side of caution and assume the latter.

Anyway - whilst I have the same "how can I remember that" problem, I have fewer degrees of secure password than you do. I have one for banking and one for everything else. The former is Very Strong, the latter is Strong. I have to assume that my Strong password and email combination has been compromised, but what do I do to create a new password? (Incidentally I use my Strong password on spotify but suspect it's strong enough to resist a brute force from the hash.)

In order to be able to remember the password my new password would have to be f('website url' and 'my secret password').

My mind then explodes because in theory if someone compromises one of my derived passwords and is sat looking at the compromised site and another site I have a login on then they can probably reverse engineer my function.

But I guess it's highly unlikely anyone would try to go to that extreme against me - and maybe I just need a function that is simple to use but not too obvious - e.g. include a digit for all the vowels in the address excluding 'e'. Or the derived password doesn't contain all letters from 'my secret password' depending on some algorithm over the website url.

I'm putting too much thought into this, just like the time I got upset about using MD5 as a test for uniqueness.
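The f('website url' and 'my secret password') idea from the comment above, worked through as an added example that is not part of the original post or comments: instead of a letter-substitution rule that an attacker holding two of your derived passwords could reverse, the derivation below uses a keyed hash (HMAC-SHA256) over the site's hostname, so one leaked derived password reveals nothing about the master secret or about any other site's password. The master secret, the hostnames and the password format are constructed for illustration; the `counter` parameter is an assumption added here to allow rotating one site's password after a breach without touching the master secret.

```python
"""Per-site password derivation with a keyed hash.

Added example, not code from the original post or its comments. It turns
f(site, master_secret) into HMAC-SHA256(master_secret, "host|counter") and
encodes the digest as a password that satisfies common complexity rules.
"""
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed for illustration only; in practice this is the one strong
# secret you memorise and never type into any website.
EXAMPLE_MASTER_SECRET = "correct horse battery staple"

LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!#$%&*+-=?@^_"
# 64 characters, so b % 64 over digest bytes is unbiased (256 is a multiple of 64).
ALPHABET = LOWER + UPPER + DIGITS + "-_"
assert len(ALPHABET) == 64


def site_label(url: str) -> str:
    """Normalise a URL or bare hostname to a lower-case host without a leading
    'www.', so http/https, paths and www variants all derive the same password."""
    if "://" not in url:
        url = "https://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def derive_password(master_secret: str, url: str, length: int = 16,
                    counter: int = 1) -> str:
    """Derive a site password from HMAC-SHA256(master_secret, "host|counter").

    - HMAC is one-way and keyed: a derived password for one site gives an
      attacker neither the master secret nor other sites' passwords, which is
      exactly the weakness of a guessable substitution rule.
    - `counter` (assumed here, not in the original comment) rotates one site's
      password after a breach: bump it to 2, 3, ... and nothing else changes.
    - The last four characters are forced to be one lower, one upper, one digit
      and one symbol so typical complexity rules are always met.
    """
    if not 8 <= length <= 32:
        raise ValueError("length must be between 8 and 32")
    label = site_label(url)
    if not label:
        raise ValueError(f"could not extract a hostname from {url!r}")
    message = f"{label}|{counter}".encode()
    digest = hmac.new(master_secret.encode(), message, hashlib.sha256).digest()

    # One digest byte per body character; the last four bytes feed the forced
    # classes (their modulo over 26/10/13 has a slight bias, acceptable here).
    body = "".join(ALPHABET[b % 64] for b in digest[:length - 4])
    tail = (LOWER[digest[-1] % len(LOWER)]
            + UPPER[digest[-2] % len(UPPER)]
            + DIGITS[digest[-3] % len(DIGITS)]
            + SYMBOLS[digest[-4] % len(SYMBOLS)])
    return body + tail


if __name__ == "__main__":
    # Constructed sample sites; the same master secret yields unrelated passwords.
    for site in ("https://www.ebay.co.uk/signin", "spotify.com"):
        print(f"{site_label(site):<12} {derive_password(EXAMPLE_MASTER_SECRET, site)}")
    print("ebay.co.uk after rotation:",
          derive_password(EXAMPLE_MASTER_SECRET, "ebay.co.uk", counter=2))
```

The practical cost of this scheme is the one the commenter already notes: you cannot regenerate the password without the tool, so it has to be available wherever you log in, and a site that rejects one of the characters in the alphabet needs a per-site override. What it buys is that the "reverse engineer my function" worry disappears: recovering the master secret from derived passwords is a preimage attack on HMAC-SHA256.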

Stephen O'Neill said...

Gah - I meant I have to assume the former, that my password has been compromised.